[redhat-lspp] IPSec Configuration doc

Paul Moore paul.moore at hp.com
Thu Nov 16 19:56:37 UTC 2006


Joy Latten wrote:
> Klaus requested some basic steps and info for
> configuring labeled ipsec. I started and came up with 
> the following which can later be used to assist those
> new to labeled ipsec and wishing to understand and use it.
> This is by no means complete. I will fill in and improve
> in time. Let me know if anything is incorrect or can be improved.
> 
> Currently, I am unable to successfully configure and run labeled
> ipsec in enforcing mode on lspp 55 kernel. I'm working on ironing out
> policy complaints so we can run in enforcing mode. Has anyone else
> tried this?

Thanks for sending this out.

Based on your instructions I'm trying to set up a simple, manually keyed labeled
IPsec connection between two machines running the lspp.55 kernel; both are using
the MLS policy in permissive mode.  Unfortunately, I can't seem to get it to
work; I assume I am doing something wrong but it is not obvious to me ...

* IP addresses

  - sifl: 10.0.0.1
  - olly: 10.0.0.2

* setkey commands

  - sifl

    spdadd 10.0.0.1 10.0.0.2 any
     -ctx 1 1 "system_u:object_r:unlabeled_t:s3:c1.c5"
     -P out ipsec esp/transport//require;
    spdadd 10.0.0.2 10.0.0.1 any
     -ctx 1 1 "system_u:object_r:unlabeled_t:s3:c1.c5"
     -P in ipsec esp/transport//require;
    add 10.0.0.1 10.0.0.2 esp 84001 -m transport
     -ctx 1 1 "system_u:object_r:unlabeled_t:s3:c1.c5"
     -E 3des-cbc "06183223c23a21e8b36c566b"
     -A hmac-md5 "IPSETEST89ABCDEF";
    add 10.0.0.2 10.0.0.1 esp 84002 -m transport
     -ctx 1 1 "system_u:object_r:unlabeled_t:s3:c1.c5"
     -E 3des-cbc "06183223c23a21e8b36c566b"
     -A hmac-md5 "IPSETEST89ABCDEF";

  - olly

    spdadd 10.0.0.2 10.0.0.1 any
     -ctx 1 1 "system_u:object_r:unlabeled_t:s3:c1.c5"
     -P out ipsec esp/transport//require;
    spdadd 10.0.0.1 10.0.0.2 any
     -ctx 1 1 "system_u:object_r:unlabeled_t:s3:c1.c5"
     -P in ipsec esp/transport//require;
    add 10.0.0.1 10.0.0.2 esp 84001 -m transport
     -ctx 1 1 "system_u:object_r:unlabeled_t:s3:c1.c5"
     -E 3des-cbc "06183223c23a21e8b36c566b"
     -A hmac-md5 "IPSETEST89ABCDEF";
    add 10.0.0.2 10.0.0.1 esp 84002 -m transport
     -ctx 1 1 "system_u:object_r:unlabeled_t:s3:c1.c5"
     -E 3des-cbc "06183223c23a21e8b36c566b"
     -A hmac-md5 "IPSETEST89ABCDEF";

Any help would be greatly appreciated.

-- 
paul moore
linux security @ hp
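A manually keyed link like the one above has several values that must agree on both hosts (SPIs, keys, key lengths, the security context, and which host marks each policy in versus out), and setkey will happily install a mismatched pair without complaint. As an added example that is not part of the original thread, the following Python script parses the setkey statements for both hosts and cross-checks them. The addresses, SPIs, keys and context are the ones from the mail; the host names passed to the checker, the checks themselves and the deliberately broken OLLY_BAD variant are my constructions.

```python
"""Consistency checker for two hosts' setkey(8) inputs describing a manually
keyed, labeled IPsec link. Added example; not code from the original mail."""
import shlex

# Key sizes in bytes that setkey accepts for these algorithms, per setkey(8).
KEY_BYTES = {"3des-cbc": {24}, "des-cbc": {8}, "aes-cbc": {16, 24, 32},
             "hmac-md5": {16}, "hmac-sha1": {20}}


def _key_len(key):
    """Byte length of a setkey key: 0x-prefixed hex, or a double-quoted string."""
    return (len(key) - 2) // 2 if key.startswith("0x") else len(key)


def _opts(toks):
    """Group option tokens: ['-E', '3des-cbc', 'k'] -> {'-E': ['3des-cbc', 'k']}."""
    opts, cur = {}, None
    for t in toks:
        if t.startswith("-"):
            cur = t
            opts[cur] = []
        elif cur is not None:
            opts[cur].append(t)
    return opts


def parse_setkey(text):
    """Parse ';'-terminated spdadd/add statements into (policies, sas)."""
    policies, sas = [], []
    for stmt in text.split(";"):
        toks = shlex.split(stmt)  # also strips the quotes around keys and contexts
        if not toks:
            continue
        if toks[0] == "spdadd":   # spdadd src dst upper -ctx ... -P dir ipsec proto/mode/level/...
            o = _opts(toks[4:])
            ipsec = o["-P"][2].split("/")  # e.g. ['esp', 'transport', '', 'require']
            policies.append({"src": toks[1], "dst": toks[2], "upper": toks[3],
                             "ctx": tuple(o.get("-ctx", [])), "dir": o["-P"][0],
                             "proto": ipsec[0], "mode": ipsec[1],
                             "level": ipsec[3] if len(ipsec) > 3 else ""})
        elif toks[0] == "add":    # add src dst proto spi -m mode -ctx ... -E alg key -A alg key
            o = _opts(toks[5:])
            sas.append({"src": toks[1], "dst": toks[2], "proto": toks[3], "spi": toks[4],
                        "mode": o.get("-m", ["transport"])[0],
                        "ctx": tuple(o.get("-ctx", [])),
                        "enc": tuple(o.get("-E", [])), "auth": tuple(o.get("-A", []))})
    return policies, sas


def check_pair(text_a, text_b, name_a="A", name_b="B"):
    """Return a list of problems that would keep hosts A and B from talking."""
    problems = []
    cfgs = {name_a: parse_setkey(text_a), name_b: parse_setkey(text_b)}
    for name, (pols, sas) in cfgs.items():
        for s in sas:
            for pair in (s["enc"], s["auth"]):
                if len(pair) != 2:
                    continue
                alg, key = pair
                if alg in KEY_BYTES and _key_len(key) not in KEY_BYTES[alg]:
                    problems.append(f"{name}: SPI {s['spi']} {alg} key is {_key_len(key)} "
                                    f"bytes, setkey needs one of {sorted(KEY_BYTES[alg])}")
        for p in pols:
            # With manual keying nothing will negotiate an SA, so a 'require'
            # policy with no SA for the same endpoints/proto/mode just drops traffic.
            if p["level"] == "require" and not any(
                    s["src"] == p["src"] and s["dst"] == p["dst"]
                    and s["proto"] == p["proto"] and s["mode"] == p["mode"] for s in sas):
                problems.append(f"{name}: {p['dir']} policy {p['src']}->{p['dst']} requires "
                                f"{p['proto']}/{p['mode']} but no such SA is installed")
    for na, nb in ((name_a, name_b), (name_b, name_a)):
        (pa, sa), (pb, sb) = cfgs[na], cfgs[nb]
        # Manual keying: both ends must install identical SAs (SPI, keys, mode, label).
        for s in sa:
            if s not in sb:
                problems.append(f"SA {s['src']}->{s['dst']} SPI {s['spi']} on {na} "
                                f"has no identical SA on {nb}")
        # A packet keeps the same src/dst on both hosts; only the direction flips,
        # so every 'out' policy on one host needs the same policy marked 'in' on the other.
        for p in pa:
            if p["dir"] == "out" and dict(p, dir="in") not in pb:
                problems.append(f"out policy {p['src']}->{p['dst']} on {na} "
                                f"has no matching in policy on {nb}")
    return problems


# Inputs rebuilt from the mail: sifl = 10.0.0.1, olly = 10.0.0.2.
CTX = '-ctx 1 1 "system_u:object_r:unlabeled_t:s3:c1.c5"'


def spd_line(src, dst, direction):
    return f"spdadd {src} {dst} any {CTX} -P {direction} ipsec esp/transport//require;"


def sa_line(src, dst, spi, auth_key="IPSETEST89ABCDEF"):
    return (f"add {src} {dst} esp {spi} -m transport {CTX} "
            f'-E 3des-cbc "06183223c23a21e8b36c566b" -A hmac-md5 "{auth_key}";')


SIFL = "\n".join([spd_line("10.0.0.1", "10.0.0.2", "out"), spd_line("10.0.0.2", "10.0.0.1", "in"),
                  sa_line("10.0.0.1", "10.0.0.2", "84001"), sa_line("10.0.0.2", "10.0.0.1", "84002")])
OLLY = "\n".join([spd_line("10.0.0.2", "10.0.0.1", "out"), spd_line("10.0.0.1", "10.0.0.2", "in"),
                  sa_line("10.0.0.1", "10.0.0.2", "84001"), sa_line("10.0.0.2", "10.0.0.1", "84002")])
# Constructed mistakes: a 15-byte HMAC-MD5 key on one SA and a missing inbound policy.
OLLY_BAD = "\n".join([spd_line("10.0.0.2", "10.0.0.1", "out"),
                      sa_line("10.0.0.1", "10.0.0.2", "84001", auth_key="IPSETEST89ABCDE"),
                      sa_line("10.0.0.2", "10.0.0.1", "84002")])

if __name__ == "__main__":
    print("sifl/olly:", check_pair(SIFL, OLLY, "sifl", "olly") or "consistent")
    for problem in check_pair(SIFL, OLLY_BAD, "sifl", "olly"):
        print("sifl/olly_bad:", problem)
```

Run against the two configurations from the mail the checker reports nothing, which is consistent with Paul's observation that the mistake is not obvious in the setkey input itself; the OLLY_BAD variant shows the kind of report it gives when a key or a policy direction does not line up. The SA comparison is a whole-entry equality, so a context that differs between the two hosts is reported the same way as a differing key.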